On June 20, 2014, Florida Governor Rick Scott signed the Florida Information Protection Act of 2014 (“FIPA”), which will repeal Florida’s current breach notification statute at Fla. Stat. § 817.5681 and replace it with a new statute at Fla. Stat. § 501.171 effective July 1, 2014. On the same day, Governor Scott also signed SB 1526, companion legislation that adds provisions to Fla. Stat. § 501.171 exempting certain records that must be provided to Florida regulators under the FIPA from the Florida Public Records Act. This legislation appears to follow in the footsteps of legislation enacted in California by covering a broader scope of information and including additional notification methods and related obligations, but it also builds on the California model by imposing the shortest express notification deadline in the nation and granting the Florida Department of Legal Affairs broad investigative and enforcement authority. These provisions, as well as their potential impact on businesses and health care providers, are discussed in more detail below.
Expanded Definition of Personal Information
The FIPA expands the “Personal Information” capable of triggering notification obligations under Florida law in two ways. First, the FIPA adds the following health information to the list of data elements that, when included in combination with an individual’s first name or first initial and last name, are capable of triggering notification obligations:
Any information regarding an individual’s medical history, mental or physical condition, or medical treatment or diagnosis by a health care professional; or
An individual’s health insurance policy number or subscriber identification number and any unique identifier used by a health insurer to identify the individual.
Although FIPA also states that notice provided pursuant to regulations established by an entity’s primary or functional federal regulator—a provision important to financial institutions and health care providers—is deemed to be compliant with the FIPA’s notice requirements, certain obligations, such as the regulatory notification and data security obligations discussed below, still apply.
Second, FIPA states that a user name or e-mail address, in combination with a password or security question and answer that would permit access to an online account, is capable of triggering breach notification obligations regardless of whether it is included in combination with an individual’s first name or first initial and last name. This provision is similar to California’s recently expanded breach notification statute, as discussed previously. Like its California analog, this provision expands the FIPA’s reach and could lead to more instances in which breach notification is required.
It should also be noted that, as was the case previously under Florida law, only unencrypted, computerized personal information can trigger the FIPA’s notification provisions.
30-Day Notification Deadline
The FIPA requires notification of affected individuals and regulatory agencies as expeditiously as possible but not later than 30 days after the determination of a breach or reason to believe a breach has occurred—the shortest express notification deadline in the country. An entity may receive an additional 15 days to provide notice to affected individuals if good cause for the delay is provided, in writing, to the Florida Department of Legal Affairs within 30 days of breach discovery. This new 30-day deadline promises to raise issues regarding breach discovery date and investigation duration that entities may need to address in their information security policies and procedures.
Regulatory Notification Requirements
Under the FIPA, entities must provide written notice to the Florida Department of Legal Affairs regarding any breach of security affecting 500 or more Florida residents as expediently as possible both not later than 30 days after determination of a breach or reason to believe a breach has occurred. This notice must contain specific information, including an explanation of any services being offered without charge by the entity and instructions on how to use those services as well as the number of affected Florida residents. Further, as noted above, even if an entity notifies affected individuals pursuant to regulations promulgated by its primary federal regulator, it must still provide a copy of such notice to the Florida Department of Legal Affairs in order to be deemed compliant with the FIPA.
Risk of Harm Documentation
Like its predecessor (but unlike its California analog), the FIPA retains a “risk of harm” standard, which states that notice to affected individuals is not required if, after an appropriate investigation and consultation with relevant law enforcement agencies, the entity reasonably determines that the breach has not and will not likely result in identity theft or any other financial harm to the individuals whose personal information has been accessed. Also like its predecessor, the FIPA requires that such a determination be documented in writing and maintained for 5 years. However, the FIPA also requires that the entity provide its written determination to the Florida Department of Legal Affairs within 30 days after the determination. This new requirement adds a level of transparency that few other breach notification statutes can match, and entities may need to revisit their breach determination and documentation policies and procedures to ensure they are ready to comply with this provision.
Investigative Provisions and Public Records Implications
Under the FIPA, entities must provide police reports, incident reports, computer forensics reports, policies and procedures regarding breaches, and steps taken to rectify a breach to the Florida Department of Legal Affairs upon request. Recognizing that these materials could be subject to further disclosure under Florida’s Public Records Act once provided to the Florida Department of Legal Affairs, the Florida legislature simultaneously enacted SB 1526, which states that information provided to the Department pursuant to notification under the FIPA is confidential and exempt from further disclosure under the Public Records Act during an active investigation except in certain limited circumstances. Further, upon completion of an investigation or when an investigation ceases to be active, certain information provided to the Department pursuant to notification under the FIPA, including all personal information, computer forensic reports, information that would reveal weaknesses in an entity’s data security, and an entity’s proprietary information, remains confidential and exempt from disclosure under the Florida Public Records Act. SB 1526 notwithstanding, the FIPA’s broad investigative provisions could have a significant impact on an entity’s process for documenting its investigation of an incident. Moreover, many investigations and the resulting reports are conducted and provided at the direction of legal counsel, so this may create issues as to whether the statutory obligation to provide reports overrides the attorney-client privilege and work product doctrine.
Like its predecessor, an entity that violates the FIPA’s provisions regarding notification of affected individuals or Florida regulators is liable for a civil penalty of $1,000 per day up to 30 days following any violation and $50,000 per 30 day period thereafter up to a maximum total of $500,000. These penalties apply per breach and not per individual affected by the breach. However, the FIPA also states that violations are to be treated as unfair or deceptive trade practices under Florida law. Additionally, the FIPA specifically states that it does not create a private right of action.
Data Security and Record Disposal Requirements
The FIPA includes an affirmative data security obligation that requires entities and their third party agents to take reasonable measures to protect and secure data in electronic form containing personal information. Additionally, the FIPA requires entities to take all reasonable measures to dispose of or arrange for disposal of customer records in any form that contain personal information via shredding, erasing, or otherwise modifying the personal information in the records to make it unreadable or undecipherable through any means. Florida regulators will likely review the facts and circumstances of a reported breach against these standards, potentially resulting in additional statutory violations and penalties.
Notification by Email
In addition to traditional written notice sent to an affected individual’s mailing address, an entity can also satisfy its notification obligations under the FIPA by emailing notice to an affected individual’s email address. Unlike many other states that only permit email notification in certain circumstances as a form of substitute notice, the FIPA allows email notification as a method of satisfying affected individual notification obligations generally, potentially allowing entities to avoid significant costs associated with printing and mailing notification letters to large numbers of affected individuals.